Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Blocking external IP addresses
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Blocking external IP addresses
Dear All,
I'm new to Fortigate and new to the forum. Anyway, I have a problem configuring policies for blocking unwanted access from some external/malicious IP addresses.
Here's what I did.
config firewall policy
edit 4
set uuid 10be693f-5610-45a9-bebc-c27bd394177f
set srcintf "any"
set dstintf "any"
set srcaddr "group-blacklist"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
I have put the policy on top of the list. However, when I tried accessing my FW from blocked IP address, it still can go through and no traffic were recorded to the policy log. Am I missing any steps or is there any other way? Thank you guys.
Fortigate 60D
v5.2.6,build711 (GA)
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not about VIPs but administrative access to the FGT, right?
You can do 2 different things:
1- only allow certain public IPs to access the FGT (white listing) - go to System>Admin>myadmin>TrustedHosts
2- create a local-in policy which uses a predefined custom address group as source address(es). Local-in policies are only managed in the CLI.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to do the "set action deny".
And try to specify the source and destination-interface, that's best practice.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did set the action to deny. In my case, I want to block external IP addresses from accessing my WAN interface. How do I set the source interface and destination interface? Is there an access control list to do that or am I missing anything? Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I had the same problem v5.2.6 , in the end the fix was not to set the dstaddr to all but to specify each of the VIPS. Once I did that the external IP address was blocked and I could see the entries in the log
Hope that helps
Ian
Web: www.activatelearning.ac.uk
Twitter: twitter.com/activate_learn
Facebook: facebook.com/Activate-Learning
Web: www.activatelearning.ac.uk
Twitter: twitter.com/activate_learn
Facebook: facebook.com/Activate-Learning
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not about VIPs but administrative access to the FGT, right?
You can do 2 different things:
1- only allow certain public IPs to access the FGT (white listing) - go to System>Admin>myadmin>TrustedHosts
2- create a local-in policy which uses a predefined custom address group as source address(es). Local-in policies are only managed in the CLI.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the best way to block an external IP trying to connect to services like IKE ?
I tried to create the following policy with no luck! :
Incoming interface WAN1
Outgoing interface? (IPSEC_VPN or Internal, or ....?) tried both
Source IP address: is set to mach the range of IP that I want to block
Destination addres : is set to all
Service: all
Sechule: always
Action: Deny
The policy is placed at the very top
Also I tried to config the Local-In_policy as follows
Edit 1
set intf WAN1set srcaddr <Group_of_blocked_addresses>set dstaddr <All>set service <IKE>set schedule <Always>
I tried to set the action to deny but it wont accept it!
Any ideas how this is accomplished!! I came from Juniper and denying external IP's was not a project!
Forgot to mention that I limited access to the device by setting the trusted sources to my internal IPs in the admin section to enhance the device security.
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Did you find a solution to this problem? I have the same issue i can understand what is the reason
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@SamH, local-in policy is the way to go for blocking access to the FGT itself from specific IPs. Are you sure the FGT didn't allow you to set action to deny? Did it give you an error? Remember that local-in policy action is "deny" by default, so since running a show command won't display any default values it wouldn't show up. What does "show full" give you for the local-in policy?
Also, assuming the issue is these specific IPs trying to access the FGT's wan ports, do you need to have admin access on the wan ports? Unless you really need it, your wan interfaces should have all administrative access turned off. And if you do need it, as ede_pfau suggested, it's best to only allow specific trusted hosts.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since yesterday that i applied the local-in-policy as suggested it worked
and for me at least the device allow me to set the action to deny with out any problems.
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did try the Local-in policy but it did not allow me to set the action to deny !!!
Any thoughts?
Thank you
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- fortigate 7.0.16 block all public ip... 94 Views
- Issues with IPsec VPN and RTSP... 245 Views
- Forti vm strange request 495 Views
- Fortigate VM Double NAT issue in... 238 Views
- Block Sources by origin ISP for... 241 Views
Labels
-
FortiGate
8,472 -
FortiClient
1,716 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiSwitch
457 -
FortiAP
457 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
177 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1661 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.